Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2023-02-20 Thread Michael Meskes 


All,

> calendar.c forks, so there is no need to regain privileges post
> setuid(). I'm kinda with tg in that setres[ug]id() makes the intent
> clearer instead of relying on uid==0 behavior.

FYI I just uploaded a new version of the package.

It turned out setres[ug]id() are not declared in the current build
process. I don't like adding the declaration manually and getting
unistd.h to declare it would mean defining __USE_GNU which may or may
not have side effects. Therefore I figured to play it safe and use
set[ug]id() instead.

Thanks,
Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De
Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2022-10-16 Thread Philipp Kern 
Hi,

On Wed, Dec 08, 2021 at 12:11:28PM +, Thorsten Glaser wrote:
> Michael Meskes dixit:
> 
> >I did some more testing and it seems this simple patch fixes the issue:
> 
> I think you should still include a setgroups(0, NULL) call there.
> 
> Personally I’d prefer setres[ug]id() because that makes the intent
> more explicit even when the effect is the same, but… I’ll let you
> and the security team decide.

Gentle bump for this issue. Also shouldn't patching out setusercontext
and having no substitute get a CVE? >:)

calendar.c forks, so there is no need to regain privileges post
setuid(). I'm kinda with tg in that setres[ug]id() makes the intent
clearer instead of relying on uid==0 behavior.

Kind regards
Philipp Kern

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-12-08 Thread Thorsten Glaser 
Michael Meskes dixit:

>I did some more testing and it seems this simple patch fixes the issue:

I think you should still include a setgroups(0, NULL) call there.

Personally I’d prefer setres[ug]id() because that makes the intent
more explicit even when the effect is the same, but… I’ll let you
and the security team decide.

bye,
//mirabilos
-- 
“It is inappropriate to require that a time represented as
 seconds since the Epoch precisely represent the number of
 seconds between the referenced time and the Epoch.”
-- IEEE Std 1003.1b-1993 (POSIX) Section B.2.2.2

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-12-07 Thread Michael Meskes 
> As
> I understand it, this is the POSIX way. Anyway, I'm going to prepare
> a
> patch.

I did some more testing and it seems this simple patch fixes the issue:

--- calendar.c  2021-12-07 17:53:16.044315761 +0100
+++ calendar.c  2021-12-07 08:59:20.293726904 +0100
@@ -190,6 +190,8 @@
case 0: /* child */
(void)setpgid(getpid(), getpid());
(void)setlocale(LC_ALL, "");
+   if (setgid(pw->pw_gid) != 0 ||
setuid(pw->pw_uid) != 0)
+   err(1, "unable to switch to
user %u group %u", pw->pw_uid, pw->pw_gid);
if (acstat) {
if (chdir(pw->pw_dir) ||
stat(calendarFile, )
!= 0 ||

Any comments?

@security team: Do you want me to prepare a fix for stable, too?

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De
Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-12-03 Thread Michael Meskes 
> > Could you elaborate why? I cannot see much of a difference in these
> > when it comes to the topic at hand. Doesn't set[ug]id set all ids
> > to
> > the given one?
> 
> No, it only sets one of the three (real, effective and saved) uid/gid
> to the given one; setres[ug]id() is the one that sets them all.

Actually I think that's only correct if you're running under a non-root
uid. If your effective uid is 0 all uids will be set to the given value
and thus there is no way back for the application to be root again. As
I understand it, this is the POSIX way. Anyway, I'm going to prepare a
patch.

Thanks,
Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De
Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-12-02 Thread Thorsten Glaser 
Michael Meskes dixit:

>Could you elaborate why? I cannot see much of a difference in these
>when it comes to the topic at hand. Doesn't set[ug]id set all ids to
>the given one?

No, it only sets one of the three (real, effective and saved) uid/gid
to the given one; setres[ug]id() is the one that sets them all.

bye,
//mirabilos
-- 
Gestern Nacht ist mein IRC-Netzwerk explodiert. Ich hatte nicht damit
gerechnet, darum bin ich blutverschmiert… wer konnte ahnen, daß SIE so
reagier’n… gestern Nacht ist mein IRC-Netzwerk explodiert~~~
(as of 2021-06-15 The MirOS Project temporarily reconvenes on OFTC)

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-12-02 Thread Michael Meskes 
> >Wouldn't using setuid() suffice?
> 
> I doubt that. At least change the gid and reset the auxilliary

Sure, make that setuid() and setgid().

> groups vector. But using setres[ug]id() is safer, especially
> considering each instance shells out to cpp(1), which would
> then otherwise be suid-user.

Could you elaborate why? I cannot see much of a difference in these when it
comes to the topic at hand. Doesn't set[ug]id set all ids to the given one? Why
is that less safe? 

Thanks,
Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De
Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-12-02 Thread Thorsten Glaser 
Michael Meskes dixit:

>Wouldn't using setuid() suffice?

I doubt that. At least change the gid and reset the auxilliary
groups vector. But using setres[ug]id() is safer, especially
considering each instance shells out to cpp(1), which would
then otherwise be suid-user.

bye,
//mirabilos
-- 
11:56⎜«liwakura:#!/bin/mksh» also, i wanted to add mksh to my own distro │
i was disappointed that there is no makefile │ but somehow the Build.sh is
the least painful built system i've ever seen │ honours CC, {CPP,C,LD}FLAGS
properly │ looks cleary like done by someone who knows what they are doing

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-12-02 Thread Michael Meskes 
> I did manage to cobble together something that at least switches
> to users properly… search for USE_CUSTOM_USERSWITCH or userswitch in
> http://www.mirbsd.org/cvs.cgi/src/usr.bin/calendar/calendar.c?rev=HEAD
> combined with…
> ...

Wouldn't using setuid() suffice? Yes, I know setusercontext() does more, but in
this case we only need to make sure the right user opens the file. Or what am I
missing?

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De
Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-12-01 Thread Thorsten Glaser 
Michael Meskes dixit:

>Hmm, not sure what I'm doing wrong. Using the same entries in my calendar file 
>I get:
>
>michael@feivel:~$ calendar

Right, but do enable the cronjob. “calendar -a” runs as root.
Or try sudo calendar -a which is basically the same then watch
your mail. (You’ll also need to change the dates, of course.)

The patch to remove the setusercontext call is wrong, basically.
Turns out fixing this (I was independently porting a different
BSD calendar codebase) is rather hard and probably involves PAM
magic way out of my experience. I asked at
https://listman.redhat.com/archives/pam-list/2021-November/msg0.html
but that mailing list seems to be mostly dead.

I did manage to cobble together something that at least switches
to users properly… search for USE_CUSTOM_USERSWITCH or userswitch in
http://www.mirbsd.org/cvs.cgi/src/usr.bin/calendar/calendar.c?rev=HEAD
combined with…

/* better than nothing… */
#define userswitch(pw) (\
!!setresgid((pw)->pw_gid, (pw)->pw_gid, (pw)->pw_gid) ||\
/*  \
 * not correct (should switch to user’s supplemental\
 * group vector) but sufficient until someone sends \
 * a workable alternative…  \
 */ \
!!setgroups(0, NULL) || \
!!setresuid((pw)->pw_uid, (pw)->pw_uid, (pw)->pw_uid)   \
)

… in calendar-mirbsd-20211101/debian/port/port.h but it lacks
not only setting the groups vector but also things like limits,
environment variables and the likes.

Unless you happen to have a PAM expert at hand, you might wish
to at least apply something similar. In your package, at least
the cronjob is disabled by default, so it hits less users, but
it’s still risky.

bye,
//mirabilos
-- 
[...] if maybe ext3fs wasn't a better pick, or jfs, or maybe reiserfs, oh but
what about xfs, and if only i had waited until reiser4 was ready... in the be-
ginning, there was ffs, and in the middle, there was ffs, and at the end, there
was still ffs, and the sys admins knew it was good. :)  -- Ted Unangst über *fs

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-12-01 Thread Michael Meskes 
[Sorry, I have missed this bug report, didn't make it into the correct mailbox 
locally it seems.]

On Mon, Nov 01, 2021 at 12:02:48AM +, Thorsten Glaser wrote:
> #define·ssh·Nov·01→ ssh
> #include·"/root/.ssh/authorized_keys"

Hmm, not sure what I'm doing wrong. Using the same entries in my calendar file 
I get:

michael@feivel:~$ calendar 
:3:2: fatal error: /root/.ssh/authorized_keys: Permission denied
compilation terminated.

Michael
-- 
Michael Meskes
Michael at Fam-Meskes dot De
Michael at Meskes dot (De|Com|Net|Org)
Meskes at (Debian|Postgresql) dot Org

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-10-31 Thread Thorsten Glaser 
Dixi quod…

>contents of files that start with a cpp-able string *and* contain
>a tab somewhere after that (because calendar(1) does not call cpp(1)
>with -traditional-cpp, which is another minor bug in the port), but

I was mistaken, it does call it like that, and it does work:

#define·ssh·Nov·01→ ssh
#include·"/root/.ssh/authorized_keys"

bye,
//mirabilos
-- 
> Hi, does anyone sell openbsd stickers by themselves and not packaged
> with other products?
No, the only way I've seen them sold is for $40 with a free OpenBSD CD.
-- Haroon Khalid and Steve Shockley in gmane.os.openbsd.misc

Bug#998206: calendar: cronjob processes all users’ calendars as root, allowing information disclosure

2021-10-31 Thread Thorsten Glaser 
Package: calendar
Version: 12.1.7+nmu3
Severity: serious
Tags: security
Justification: security
X-Debbugs-Cc: t...@mirbsd.de, Debian Security Team 

I was wondering how Debian’s calendar(1) packaging handled the
setusercontext(3) part, and after finding d/p/calendar_cap.diff
I see it just… does away with it õÕ

This allows wonderful information disclosure:

tglase@tglase-nb:~ $ cat .calendar/calendar 
Nov 01  Allerheiligen
#define Def Nov 01
#define Job Nov 01
#define Mem Nov 01
#define Usr Nov 01
#include "/root/.toprc"
tglase@tglase-nb:~ $ cat /root/.toprc
cat: /root/.toprc: Permission denied

↓   ↓   ↓

From: Reminder Service 
Message-ID: <20211031232839.c72361c3...@tglase-nb.lan.tarent.de>
To: tgl...@tglase-nb.lan.tarent.de
Date: Mon,  1 Nov 2021 00:28:39 +0100 (CET)
Subject: Monday's Calendar

Nov 01  Allerheiligen
Nov 01  fieldscur=AEhIOQTrspvuWbcdfgjyzlKNMX
winflags=65208, sortindx=10, maxtasks=0
summclr=6, msgsclr=6, headclr=7, taskclr=7
Nov 01  fieldscur=ABcefgjlrstuvyzMKNHIWOPQDX
winflags=62776, sortindx=0, maxtasks=0
summclr=6, msgsclr=6, headclr=7, taskclr=6
Nov 01  fieldscur=ANOPQRSTUVbcdefgjlmyzWHIKX
winflags=62776, sortindx=13, maxtasks=0
summclr=5, msgsclr=5, headclr=4, taskclr=5
Nov 01  fieldscur=ABDECGfhijlopqrstuvyzMKNWX
winflags=62776, sortindx=4, maxtasks=0
summclr=3, msgsclr=3, headclr=2, taskclr=3


This is *mildly* mitigated by the fact that you can only extract
contents of files that start with a cpp-able string *and* contain
a tab somewhere after that (because calendar(1) does not call cpp(1)
with -traditional-cpp, which is another minor bug in the port), but
I believe people can and will find creative ways to extract more.

/root/.wget-hsts can be used to see whether a given host was already
contacted, for example.

-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'oldstable-updates'), (500, 'oldoldstable'), (500, 
'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/2 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)

Versions of packages calendar depends on:
ii  cpp  4:10.2.1-1
ii  libbsd0  0.11.3-1
ii  libc62.31-13+deb11u2

calendar recommends no packages.

calendar suggests no packages.

-- Configuration Files:
/etc/cron.daily/calendar changed:
. /etc/default/calendar
[ x$RUN_DAILY = xtrue ] || exit 0
[ -x /usr/sbin/sendmail ] || exit 0
if [ ! -x /usr/bin/cpp ]; then
  echo "The cpp package is needed to run calendar."
  exit 1
fi
/usr/bin/calendar -a

/etc/default/calendar changed:
RUN_DAILY=true


-- no debconf information